29453089
submission
ddonzal writes
"Author, instructor and professional hacker, Thomas Wilhelm, writes, "One of the more frequent questions I see on EH-Net pertains to creating pentest labs. Individuals new to the topic of hacking often have a limited understanding of what type of equipment is required, or how to go about setting up a lab to practice all of the cool attacks they have watched on YouTube. Details on how to get started using a single system and virtual machines are numerous – including some I have done. However, I think there is one question not being asked enough when discussing hacking labs “Why do you want a lab?”
Most people create a lab containing a single host system and include virtual images of various Operating Systems. Unknowingly they have just restricted themselves to a very finite portion of real-world hacking – system attacks. I’m not even sure I can classify these “system attacks” as internal (within the corporate network) or external (Internet-facing services), due to a lack of support systems typically found in corporate networks. Absent are the routers, firewalls, IDS/IPSes, windows networks, switches, etc. Without these, we don’t really have a good example of what someone might face during a real pentest, nor do we create an effective learning environment.""Link to Original Source
29399707
submission
ddonzal writes
"New Monthly Columnist for The Ethical Hacker Network, Chris Hadnagy of www.social-engineer.org, pens his first article,"Over the last year social engineering has gotten a lot of press. From the attacks on companies like Sony, HB Gary, PBS, Citibank et al to contests like the Social Engineering CTF at Defcon, it seems that social engineering has taken the front page. And rightfully so, as it is still the easiest and often most effective vector of attack. With that in mind, many people are interested in learning what it will take to either add social engineering skills to their tool chest (either personally or as part of their red team) or even become a full-time, professional social engineer.
And that was the impetus behind Chris Hadnagy's new monthly column exclusively at The Ethical Hacker Network, how to become a professional social engineer. So to get the ball rolling, I compiled this Top 5 List to help each person make this a career path or at least add it to their present security practices. As we move through the coming months, we’ll explore the history, methodologies and practical experiments in attacking the human. It will not only be educational but eventually lucrative for you and your organizations.""Link to Original Source
29365085
submission
ddonzal writes
"Article on The Ethical Hacker Network by Eli Sowash, CISSP, "As an information security professional, the task of communicating InfoSec concepts and concerns to executive management can sometimes be challenging. That security breaches like Sony, RSA, and Lockheed are grabbing mainstream media attention means security ideas and concerns are increasingly making their way to the boardroom. Since executive support can be one of the most valuable tools in the InfoSec professional’s toolbox, using these case studies with your own management can be a great starting point in letting them know that the security team understands the risks to the business.
It’s the job of an organization’s executive management to set the strategic direction, and building a relationship with the management team can mean incorporating proper security practices into the business process at the highest level. InfoSec professionals can then parlay this seat at the table with the baby step of an awareness program, which is a great way for management to lead by example.
We are all being called upon to answer to and collaborate with senior management differently than in years past. Here are three tips I’ve found that help to explain our world to the businesses we’re protecting.""Link to Original Source
29364765
submission
ddonzal writes
"CompTIA has been a stalwart in the IT certification arena for quite a number of years. They have dominated the space with such recognized credentials as A+, Linux+, Security+ and many others. Their certifications have been highly recommended by The Ethical Hacker Network (EH-Net) as well as countless others as an entry-point into a given area of IT. But can CompTIA help advance the careers of those already in the field of their choice within IT?
Enter CompTIA’s newest line of industry credentials, the Mastery Series of Certifications. The first offering from this new line is the CompTIA Advanced Security Practitioner, CASP (pronounced C-A-S-P like an acronym as opposed to ‘casp’ like a word). At first glance, it would appear as though CompTIA is taking on ISC2 and the venerable CISSP. After a closer look, this isn’t quite the case. Let’s find out more from Carol Balkcom, CompTIA’s Director and Product Manager for the CASP."Link to Original Source
29319151
submission
ddonzal writes
"New tutorial by columnist for The Ethical Hacker Network, Chris Gates, CISSP, CISA, GCIH, GPEN, "In the first article, Oracle Web Hacking Part I, I talked about scanning Oracle Application Servers for default content and how to use that content for information gathering. A pentester can utilize that information to run SQL queries and to gain a foothold into the network. I also talked about iSQLPlus and some fun things you can do with that application, if you are able to guess credentials for it. I also showed some Metasploit modules to help you accomplish all of it.
In Part 2 of 3 of this ongoing series of columns, I’ll dive into attacking the Oracle Application Server Portal (OracleAS Portal). I’ll focus on Oracle 9i and 10g up to Release 2. With 11g (10.3.x) Oracle moved to Weblogic, and it’s completely different and therefore out of the scope of this series. But there are plenty of shops out there still using 9i and 10g, which gives us plenty of opportunity for breaking stuff. So, let’s get to it.""Link to Original Source
29318531
submission
ddonzal writes
"Article & Video by Dan Honkanen, GCIH, Security+, ITIL, et al on The Ethical Hacker Network, "Keyloggers are usually one of the top picks for a hacker or a spy's best friend. They basically serve as the eyes and ears of the attacker. They can be based on software or hardware and send detailed reports including the user's passwords, chat logs, all typed text, launched applications and visited websites. They can even send screenshots to visually show what the user was viewing as well as any webcam and microphone activity. Most laptops today come with a built-in webcam and microphone and don't usually give any signal that they have been enabled. Any person who uses that computer will have all their activities monitored and recorded in an encrypted log which only the attacker can access.
In this video, I will present the basics of keyloggers and also demonstrate a couple of my favorite keyloggers, their features, how hidden they are and how to prevent and detect keyloggers in general. At the end of this primer, the viewer should be able to fully understand where keyloggers fit into both sides of the equation.""Link to Original Source
18194168
submission
ddonzal writes
""Dissecting the Hack: The F0rb1dd3n Network, Revised Edition" by Jayson E. Street, Kent Nabors and Brian Baskin is not intended for the average reader of The Ethical Hacker Network, and this is what makes the book so intriguing. The forward specifically points out how hard it is to speak with management about security, and how lost they get. It even comes complete with an explanation of the "glazed over eyes." Talking with decision makers is a topic often overlooked, and something that needs to be explored and dissected. At the end of the day, no matter how great you think your idea is, if you don't get management buy-in, the idea dies and you are forced to re-bury your department's head back in the proverbial sand.
I would imagine that at this point most readers are affirmatively shaking their heads, because by and large most managers/executives know very little about information security. I personally have dealt with this on more than one occasion, painstakingly detailing the largest (most obvious) vulnerabilities and the most cost efficient way to mitigate these risks. After I finished (each time) I was met by the aforementioned blank stares and confused looks. I was thanked for my effort, no changes were made, and I eventually left frustrated and annoyed. My chances of getting through to these decision makers may have improved if "Dissecting the Hack" had been in my arsenal.
Use link below to see entire review:"Link to Original Source
18193886
submission
ddonzal writes
"What does the average security professional know about wireless technology, and wireless security in particular? Sure, it's easy to pwn WEP... but unfortunately, this is the extent of most people's knowledge. Many security testing firms even view wireless security as an "afterthought" or a separate practice entirely.
With the second edition of Hacking Exposed: Wireless, Johny Cache, Josh Wright, and Vinnie Liu aim to teach us all that there's a lot more to wireless security than WEP cracking. For those who follow the wireless world, the names of these three should be immediately familiar. Josh and Johny, in particular, have long been known as thought leaders in the wireless security space and have written or contributed to many of the tools and research used in the field. And with this fully revised and expanded edition of the book, these three great minds have come together, and the end product is an excellent book that covers some of the most cutting-edge technology while remaining very readable and down-to-earth. It's a book that deserves space on any hacker's bookshelf.
The book is arranged into three major sections. About two-thirds of the book is dedicated to 802.11 technology with sections dedicated to attacking both infrastructure and clients. The remaining third of the book is dedicated to three emerging wireless technologies, Bluetooth, ZigBee, and DECT.
Click link below to see entire review by Jon Janego"Link to Original Source
18191426
submission
ddonzal writes
"Happy Holidays, challenge fans! Ed Skoudis here, with this year's holiday hacking challenge. Have you ever seen the classic video "A Charlie Brown Christmas," and pondered why Charlie Brown is so "upset at the start of the video? Also, have you ever wondered why the rest of the Peanuts gang is so focused on the materialism of the Christmas season? Well, this year's hacking challenge answers these questions. In our tale, you'll discover that something happened before the start of the Charlie Brown Christmas video that put these characters into such a state. That something is what we like to call "The Nightmare Before Charlie Brown's Christmas." These challenges, which are an annual tradition here at EthicalHacker.net, are designed to help people develop their skills, show off their abilities, and have some fun. During past holiday seasons, you got to tangle with the Grinch, Rudolph, that Messy Marvin kid, Frosty, and even Santa himself. And who can forget last year's Miracle on Thirty-Hack Street. Read this challenge, answer the questions, and send your responses in by January 3, 2011. We'll choose three winners, each of whom will get an autographed copy of my Counter Hack Reloaded book. One prize will go to the best technical answer, another to the most creative answer that is technically correct, and the final prize is based on a random draw from every person who submits an answer. Even if you have no idea whatsoever for how to answer the questions, send in your best shot to be entered in the random draw. And now, without further adieu, the curtain rises on our story... http://www.ethicalhacker.net/content/view/344/2/"Link to Original Source
